Tuesday, May 24, 2011

Reset and recover any Windows PC password using Kon Boot

A couple of previous articles talked about how Microsoft Windows platforms store user passwords and how one can access and crack them to control a PC (links provided at the bottom). That is a time-consuming process, and there is always a chance you will not be able to crack the passwords because of their complexity. It is also cumbersome: you need elevated privileges to extract the hashes and then time to crack them.

Today I present a very simple, elegant and far more powerful tool: Kon-Boot. It is one of the most destructive tools I have ever seen. It is very easy to run and avoids the hassle of cracking hashes altogether.
According to the creator's homepage: "Kon-boot is a piece of software which allows changing the contents of a Linux and Windows kernel while booting. It allows logging into a Linux system as the 'root' user without typing the correct password, or elevating privileges from the current user to root. For Windows systems it allows entering any password-protected profile without knowledge of the password." Sounds awesome, doesn't it? All you have to do is run this software from a live CD or USB; it promptly makes some changes to the kernel and voila, you have hacked the PC! How cool is that! You do not need to know anything about hashes and all the complicated business associated with them. Currently Kon-Boot can exploit Windows XP, Vista and 7, and flavours of Linux including Debian, Gentoo, Fedora and Ubuntu.

Steps to load Kon-Boot

I booted Kon-Boot from the ISO (download links are given at the end) in VMWare. A banner displaying Kryptos is shown. Press a key and you will notice the screen change. Once it finishes, Windows loads; try to access any account. If you are prompted for a password, just type anything and hit enter. In my case I was not even asked for a password! (I am using Windows XP.)

If there is a problem, there are a few links you might want to look up which explain how to burn a live CD or USB. There are some issues if you have multiple operating systems installed. I remember when I used the tool for the first time on my machine, which had Ubuntu and Vista, and it simply froze with a black screen. For all such problems refer to the websites given on the author's homepage.

Note: the ISO you download is not empty. Because the tool is very small, its size is displayed as 0 kB.

Disadvantages and mitigation:

Obviously you must be able to boot Kon-Boot from a live CD/USB, so the attack depends on the boot order. A simple way to strengthen security is to set a BIOS password so that the boot sequence cannot be changed. Secondly, physical access to the PC is required to carry out this attack, and needless to say that privilege should not be granted to unauthorized personnel.


Although I have shown this tool in a very negative light, it has great (and noble) uses. A system administrator can use it to create new accounts quickly without needing to remember admin passwords. In another scenario, if a user forgets their password they can quickly use Kon-Boot to reset it. Windows provides a password-reset disk facility, but this can be an alternative.
There are many tools like Kon-Boot, but this is probably the most stable and flexible of the lot.

Important Links:
Kon-Boot Homepage
More on Kon Boot and similar tools
Basics of password security and cracking
Cracking passwords using Rainbow Tables

Tuesday, May 17, 2011

Cracking Passwords using Rainbow Tables to hack and recover Windows

A previous article, cracking Windows passwords, talked about how OS passwords are stored, their security, and how we can go about cracking and attacking them using brute-force techniques. This is an important aspect of OS hacking and a well-known topic. Tools such as Ophcrack and JTR (John the Ripper) can take a password hash file and recover the passwords. The problem is that they are slow, especially for long or complex passwords (containing numbers or symbols), because brute force is always the slowest approach. The article then introduced the notion of rainbow tables, which can significantly speed up the process.

Rainbow Tables

Software tools such as JTR take a candidate string, hash it and compare the result with the hash in the supplied password file. Why not compute all these hashes once and store them in a table? In its simplest form, the idea is to hash every candidate word ahead of time and store the results. At crack time you no longer compute and compare hashes; you simply look up the given hash value in the table and read off the corresponding plaintext.

That is a rough definition of a rainbow table; the real thing is more involved (a rainbow table stores chains of hashes linked by reduction functions rather than every hash, which is what makes it a time-memory tradeoff rather than a plain lookup table). Rainbow tables can be downloaded for free from freerainbowtables.com or the Ophcrack site. Remember the Ophcrack tool? You can integrate these tables with it, giving you the flexibility to use either a brute-force or a rainbow attack. Or you can straight away download the Ophcrack Live CD, which needs no installation and does the job automatically.

Ophcrack Live CD

A live CD/DVD contains an OS that can be booted from the disc itself. When you switch on your PC, the BIOS looks for an OS on your hard drive, optical drive or network, in the configured order. That order can be changed in the BIOS options.

The Ophcrack project provides a Live CD OS that ships with the tool and its smallest rainbow table. Remember that XP uses LM (LAN Manager) hashes by default, whereas Vista and later use the NTLM hashing mechanism. NTLM is a much more secure hashing scheme, and its rainbow tables are far bigger.

Simple Steps to load Ophcrack LiveCD

Make sure that the boot sequence has the optical drive above the hard drive. Once the Ophcrack OS has booted (based on Slax Linux), it automatically looks for the SAM file in the default directory (C:\Windows\System32) and loads the hashes. You can also browse to the SAM file manually under /mnt/hda1/Windows/system32/.

Ophcrack automatically selects the alphanumeric table and starts cracking! You can find the tables in /mnt/live/ophcrack/tables.

Here is a list of passwords that I tried cracking:

NOTE: I had installed Windows XP (i.e. LM hashes, using the free XP small table from Ophcrack) on VMWare on my 2GHz machine. Results may vary!

anadi - 80s
yellowuzumaki- 47.2s
123goldfish- 523.01s
o1m8shi4v548- 203.78s!
himynameisbobandilovelongpasswords0678 - "LM hashes empty". Remember, any password longer than 14 characters is stored only as an NT hash.

Issues with a Rainbow table attack

A rainbow table is a classic example of a time-memory tradeoff. While you can expect a dramatic reduction in time consumed, the tables themselves are huge. Moreover, they do not guarantee 100 percent success. There are different types of tables depending on the character set you expect the password to use. Vista tables are especially large (around 3GB), which can be annoying if you are planning to download them. Alternatively, you can have a CD/DVD shipped to your home for approximately $50 (rainbowtables.com provides this service).

A rainbow table attack is the most reliable and fastest way to crack Windows passwords. XP is Microsoft's most popular OS and is still in use even though Microsoft has ended its production and maintenance. Because of their speed and accuracy, rainbow attacks are a serious threat.

Prevention of Rainbow Attacks


Salting is a technique that mixes a random string into the value being hashed, so the hash output changes. This random string, called a salt, may be something like the username, appended to the password before it is hashed (a random per-user salt is preferable to a predictable one such as the username). Mathematically something like:

This thwarts the normal rainbow attack because the hash of a given password is no longer fixed: the salt added right before hashing changes it. Even if you learn the salt, you have to recompute the tables for that salt, which is a tedious task. Unix-based OSes use salts and are shielded from this attack; sadly, Windows XP and Vista are not.
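The lookup-table idea from the Rainbow Tables section and the salting defence above, as an added example that is not part of the original post. It assumes SHA-256 in place of the LM/NTLM hashes discussed here, and the word list and salt are constructed sample data.

```python
# Added example (not from the original post): a precomputed lookup table in
# the "simplest form" the post describes, and why a per-user salt defeats it.
# Assumption: SHA-256 stands in for the LM/NTLM hashes discussed on the page.
import hashlib
import os

# Constructed word list standing in for the character-set coverage of a real
# rainbow table (the words are the test passwords from the post).
WORDLIST = ["anadi", "yellowuzumaki", "123goldfish", "o1m8shi4v548"]


def digest(text: str) -> str:
    """Unsalted hash: the same password always yields the same hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def digest_salted(text: str, salt: bytes) -> str:
    """Salted hash: the salt is mixed in before hashing, so two users with
    the same password get different hashes and one shared table no longer
    applies to both."""
    return hashlib.sha256(salt + text.encode()).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext once; this is the memory side of the
    time-memory tradeoff. Done once, reused for every hash file."""
    return {digest(w): w for w in words}


def lookup(table, h: str):
    """A single dictionary lookup instead of hashing every candidate."""
    return table.get(h)


def demo():
    table = build_table(WORDLIST)
    # Unsalted: the stored hash is found directly in the precomputed table.
    plain_hit = lookup(table, digest("123goldfish"))
    # Salted: the same password hashed with a random per-user salt is not in
    # the table; recovering it would need a fresh table for this salt value.
    salt = os.urandom(16)
    salted_hit = lookup(table, digest_salted("123goldfish", salt))
    return plain_hit, salted_hit


if __name__ == "__main__":
    print(demo())  # ('123goldfish', None)
```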

Using complex and long passwords

The only way to save your a** is a strong password: long, with a few numbers and special characters (maybe add a space or a symbol like $). A password longer than 14 characters is always stored as an NT hash rather than an LM hash.

Enabling a BIOS Password

Enable a BIOS password so that an attacker cannot modify the boot sequence. Make sure the hard drive comes above the CD/DVD drive and USB drives. If your BIOS allows it, remove the optical drive and USB devices from the boot sequence entirely.

Important Links:

Read the basics of password security and cracking
Ophcrack homepage
Rainbowtables.com homepage
Wiki on Password Cracking
Wiki on Rainbow Tables
Wiki On Salting